As the popularity of the Internet has grown, the proliferation of computer malware has become more common. Computer malware is typically a program or piece of code that is loaded onto a computer and/or performs some undesired actions on a computer without the knowledge or consent of the computer operator. The most widespread, well-known and dangerous type of computer malware is the computer virus, that is, a program or piece of code that replicates itself and loads itself onto other connected computers. Once the virus has been loaded onto the computer, it is activated and may proliferate further and/or damage the computer or other computers.
Along with the proliferation of computer viruses and other malware has come a proliferation of software to detect and remove such viruses and other malware. This software is generically known as anti-virus software or programs. In order to detect a virus or other malicious program, an anti-virus program typically scans files stored on disk in a computer system and/or data that is being transferred or downloaded to a computer system, or that is being accessed on a computer system, and compares the data being scanned with profiles that identify various kinds of malware. The anti-virus program may then take corrective action, such as notifying a user or administrator of the computer system of the virus, isolating the file or data, deleting the file or data, etc.
Typically, computer viruses are transmitted in infected executable files or files that contain macros. Executable files include executable code that is intended to be run on a computer system. Thus, anti-virus programs typically scan executable files in order to find viruses. However, there also exist viruses that infect data files, rather than executable files. Anti-virus programs that scan files stored on disk in a computer system and/or data that is being transferred or downloaded to a computer system typically scan both executable files and data files. However, the existence of viruses that infect data files means that anti-virus programs that perform their scans when a file is accessed must also scan data files, as well as executable files and macro-containing files.
For example, the MICROSOFT WINDOWS® INI file format is used by a large number of application programs to store configuration data. Examples of such programs include some Internet Relay Chat (IRC) clients that use INI format files to contain scripts that control the behavior of the client. This scripting can be powerful enough that it is possible to write viruses or worms using such scripting.
Typically, data files are written to much more frequently than executable files. Such writes are often performed inefficiently. Because of this, the presence of an anti-virus program with on-access scanning can introduce significant performance degradation, as the data file is scanned each time it is changed in order to check for the possible introduction of a virus or other malware. For example, a file in the INI file format is a text file, in which each piece of information consists of one line of text. A typical and reasonable way for an application to write information to a file having the INI file format is to open the file, write a line of text, and close the file again. This process is repeated for each line that is to be written. When no on-access anti-virus scanner is present, this technique is inefficient, but typically causes little noticeable performance degradation because there is not a lot of processing involved with each individual write. However, when an on-access anti-virus scanner is present, the file is scanned for viruses after each line is written. A single scan would likely not be noticeable, but when many such scans are performed in a short period of time, the cumulative effect causes significant and noticeable performance degradation of the application program.
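The cumulative cost described above can be made concrete with a small model, added here as an illustration and not taken from the original text. The OnAccessScanner class, its close hook, the signature marker and the sample lines are all constructed assumptions; the batched writer is only a baseline for comparison, not a technique the text proposes.

```python
import os
import tempfile

# Constructed placeholder pattern; stands in for a real malware profile.
SIGNATURES = [b"EXAMPLE-MALWARE-MARKER"]

class OnAccessScanner:
    """Hypothetical scanner that rescans the whole file after each write-close."""
    def __init__(self):
        self.scans = self.bytes_scanned = self.detections = 0

    def on_close_after_write(self, path):
        with open(path, "rb") as f:
            data = f.read()
        self.scans += 1
        self.bytes_scanned += len(data)
        # Compare the scanned data against every known profile.
        self.detections += any(sig in data for sig in SIGNATURES)

def write_per_line(path, lines, scanner):
    """The INI write pattern from the text: open, write one line, close, repeat."""
    for line in lines:
        with open(path, "ab") as f:
            f.write(line)
        scanner.on_close_after_write(path)  # scan fires after every line

def write_batched(path, lines, scanner):
    """Same content written under a single open/close, for comparison."""
    with open(path, "ab") as f:
        for line in lines:
            f.write(line)
    scanner.on_close_after_write(path)  # scan fires once

def measure(writer, lines):
    """Run one write pattern on a fresh temp file; return (scans, bytes scanned)."""
    scanner = OnAccessScanner()
    fd, path = tempfile.mkstemp(suffix=".ini")
    os.close(fd)
    try:
        writer(path, lines, scanner)
    finally:
        os.remove(path)
    return scanner.scans, scanner.bytes_scanned

# Constructed sample: 200 INI lines of 13 bytes each (2600 bytes in total).
SAMPLE = [b"key%03d=value\n" % i for i in range(200)]

if __name__ == "__main__":
    print(measure(write_per_line, SAMPLE), measure(write_batched, SAMPLE))
```

Because each scan covers the whole file so far, the per-line pattern scans a number of bytes that grows with the square of the line count, while the number of bytes written grows only linearly.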
A need arises for a technique by which on-access malware scanning of data files can be performed without introducing significant performance degradation.